Sunday, September 24, 2017

Google Will Reject Symantec's SSL Certificates

Google announced that Chrome 70 (to be released on Oct. 23, 2018) will fully "remove trust in Symantec's old infrastructure and all of the certificates it has issued. This will affect any certificate chaining to Symantec roots, except for the small number issued by the independently-operated and audited subordinate CAs previously disclosed to Google." Google advises site operators to purge digital certificates that were issued by Symantec before June 1, 2016.

That's because Google believes that Symantec's digital certificates are vulnerable to attacks due to lack of quality control by Symantec. Google said that Symantec had issued digital certificates to requesters who were not verified thoroughly enough. As a result, Google alleges that 30,000 certificates had been issued improperly, although Symantec insists that only 127 were suspicious.

Symantec held approximately 30 percent of the TLS/SSL market after acquiring the certificate businesses of VeriSign, Thawte, Equifax and others. But last month, Symantec announced its plan to sell its website security and PKI business to DigiCert for $950 million plus 30 percent in common stock equity.

What To Do?

Replace any certificate that Symantec issued before June 1, 2016 ahead of the Chrome 66 release; that version of the browser enters beta on March 15, 2018. Google has issued the following reference timeline of relevant dates for site operators:
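As a practical check for the replacement step above, the following Python script (an added example, not part of the original post or of any Google or Symantec tooling) reads the text that `openssl x509 -noout -issuer -startdate` prints for a certificate and sorts it into one of three buckets: issued by a Symantec brand before the June 1, 2016 cut-off (must go before Chrome 66), issued by a Symantec brand on or after that date (must go before Chrome 70), or not Symantec-issued. It handles both the OpenSSL 1.0 slash-separated and the OpenSSL 1.1+ comma-separated issuer formats, including quoted values such as `O = "VeriSign, Inc."`. The brand keyword list, the function names and the sample outputs are assumptions; matching on the issuer's O= field is a heuristic and does not replace walking the chain to its root or accounting for the independently-operated sub-CAs the post mentions.

```python
"""Triage a server certificate against the Chrome/Symantec distrust timeline.

Added example, not from the original post. Parses the output of
`openssl x509 -noout -issuer -startdate` and reports which Chrome milestone
forces replacement. Brand list and field names are assumptions.
"""
import re
import subprocess
from datetime import datetime

# Cut-off stated in the post: certificates issued before this date must be
# replaced before Chrome 66; everything chaining to Symantec roots is
# distrusted from Chrome 70 onward.
SYMANTEC_CUTOFF = datetime(2016, 6, 1)

# Brands the post names as part of Symantec's CA business. Assumption: a
# substring match on the issuer's O= field is a heuristic, not a chain check.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "equifax")

# One RDN in OpenSSL 1.1+ output: `KEY = value` or `KEY = "value, with comma"`.
RDN_RE = re.compile(r'([A-Za-z0-9.]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_issuer(line):
    """Turn an `issuer=...` line into a dict of RDN type -> value."""
    body = line.split("=", 1)[1].strip()
    rdn = {}
    if body.startswith("/"):
        # OpenSSL 1.0 style: /C=US/O=Symantec Corporation/CN=...
        for part in body.split("/"):
            if "=" in part:
                key, value = part.split("=", 1)
                rdn[key.strip()] = value.strip()
    else:
        # OpenSSL 1.1+ style: C = US, O = "VeriSign, Inc.", CN = ...
        for match in RDN_RE.finditer(body):
            key, value = match.group(1), match.group(2).strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            rdn[key] = value
    return rdn


def parse_not_before(line):
    """Parse `notBefore=May 12 10:00:00 2016 GMT` into a datetime."""
    # openssl pads single-digit days with a space ("Jun  1 ..."); collapse it.
    value = " ".join(line.split("=", 1)[1].split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")


def parse_openssl_output(text):
    """Extract issuer and notBefore from `openssl x509 -issuer -startdate` text."""
    info = {}
    for line in text.splitlines():
        if line.startswith("issuer="):
            info["issuer"] = parse_issuer(line)
        elif line.startswith("notBefore="):
            info["not_before"] = parse_not_before(line)
    return info


def is_symantec_issued(issuer):
    """Heuristic: does the issuer organisation name carry a Symantec brand?"""
    org = issuer.get("O", "").lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def assess(info):
    """Return which Chrome milestone forces replacement, or 'ok'."""
    if not is_symantec_issued(info["issuer"]):
        return "ok"
    if info["not_before"] < SYMANTEC_CUTOFF:
        return "replace before Chrome 66"
    return "replace before Chrome 70"


def assess_pem_file(path):
    """Run the openssl CLI on a PEM file and triage it (needs openssl on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-issuer", "-startdate"],
        check=True, capture_output=True, text=True).stdout
    return assess(parse_openssl_output(out))


# Constructed sample of what openssl prints for an old Symantec-chained leaf.
SAMPLE_OLD = (
    "issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, "
    "CN = Symantec Class 3 Secure Server CA - G4\n"
    "notBefore=May 12 10:00:00 2016 GMT\n"
)

if __name__ == "__main__":
    print(assess(parse_openssl_output(SAMPLE_OLD)))
```

Run it against a real file with `assess_pem_file("server.pem")`; the bucket it returns tells you which Chrome release is the hard deadline for that certificate. Because the decision keys only on the leaf's issuer name, treat "ok" as "not obviously affected" and confirm with a full chain inspection before relying on it.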